Latin America. All establishments, from shops and SMEs to travel agencies, must be aware that the only way to reduce their exposure to fraud is to strengthen their cybersecurity posture through PCI DSS certification.
Information security is the responsibility of everyone in the chain that handles card payments: it is shared by merchants and service providers together with financial institutions and legislators, and all of them must protect that information on behalf of their customers. The rise of e-commerce has opened a window of duties and demands for those who buy and sell in the industry, says Hector Guillermo Martinez, President of GM Security Technologies.
The Payment Card Industry Data Security Standard, PCI DSS 3.2, is a set of requirements that govern how organizations handle card information during the payment process, along with other cardholder data. "Importantly, meeting PCI DSS requirements is not just about passing an annual audit; it has become a real urgency for the protection of customer data and information, and also for avoiding fines, which in some cases could lead to the cessation of operations."
"Merchants, financial institutions and service providers incur every year a cost of non-compliance equivalent to 2.71 times the cost of implementing internal controls and/or complying with the requirements of PCI DSS 3.2, not counting the other costs associated with business interruption, productivity losses, fines, penalties and liquidation expenses, among others." "Organizations that lack an adequate and robust security ecosystem that lets them effectively safeguard their customers' data risk losing their competitive capacity in an increasingly agile and sophisticated market."
A process with specific guidelines
Every organization has a duty to defend the rights of the cardholder, and for that it is essential to protect cardholder data by implementing security controls and practices recognized in the industry. These start with data retention and disposal and with the use and enforcement of established policies; they include encrypting sensitive stored data and protecting data in transit with strong cryptography, bearing in mind that PCI DSS 3.2 no longer regards SSL and early TLS as strong cryptography; and they extend to training and awareness for the staff who handle this data.
Organizations must also guard against external threats: a firewall on every connection and every device, with rule sets reviewed at least every six months and untrusted connections blocked; a designated system administrator; and servers limited to one primary function, running only the services that are strictly necessary for that role. Every component in the ecosystem must be protected against viruses and malware, with those protections updated regularly and only by administrators.
Companies must also protect themselves against insider threats by restricting access to cardholder data: access is granted only to the employees responsible for the area, only to the level their job functions require, and only with documented approval from their authorizers. All user accounts, including those of vendors and third parties and above all administrator accounts, should be monitored. Accounts must be locked after repeated failed login attempts and revoked as soon as the need that justified them has ended.
All access to the network, to resources and to cardholder data should be monitored and tracked through logging, monitoring and audit systems on every device and component in the ecosystem, with alerts that speed up the investigation and resolution of suspicious activity. An incident response plan is needed that enables and accelerates the investigation of events, covering all administrator actions, login attempts, account changes and pauses in the audit trail. Audit log data must be retained for at least one year, with the last three months immediately available for investigation and analysis.
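The kind of detection logic that turns those audit logs into alerts, as an added example that is not part of the original article or of GM Security Technologies' products: it parses a constructed sample of authentication events (the log format, account names, IPs and the 30-minute sliding window are this example's assumptions; the six-attempt lockout threshold is the figure in PCI DSS 3.2 requirement 8.1.6), flags accounts that hit the lockout threshold, singles out a successful login that follows such a burst, reports pauses in the audit trail, and lists account changes for review.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail for this example (not real logs).
# Format assumed here: ISO timestamp, event, user=<id>, src=<ip>, optional extra fields.
SAMPLE_LOG = """\
2024-03-01T08:00:05 LOGIN_OK    user=alice     src=10.0.0.5
2024-03-01T08:01:10 LOGIN_FAIL  user=pos-admin src=203.0.113.7
2024-03-01T08:01:15 LOGIN_FAIL  user=pos-admin src=203.0.113.7
2024-03-01T08:01:20 LOGIN_FAIL  user=pos-admin src=203.0.113.7
2024-03-01T08:01:25 LOGIN_FAIL  user=pos-admin src=203.0.113.7
2024-03-01T08:01:30 LOGIN_FAIL  user=pos-admin src=203.0.113.7
2024-03-01T08:01:35 LOGIN_FAIL  user=pos-admin src=203.0.113.7
2024-03-01T08:02:00 LOGIN_OK    user=pos-admin src=203.0.113.7
2024-03-01T08:05:00 ACCT_CHANGE user=alice     src=10.0.0.5 detail=role:cashier->admin
2024-03-01T10:20:00 LOGIN_OK    user=bob       src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
)


def parse_log(text):
    """Parse the sample format into dicts, sorted by time; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "event": m["event"],
                "user": m["user"],
                "src": m["src"],
            })
    records.sort(key=lambda r: r["ts"])
    return records


def failed_login_alerts(records, threshold=6, window=timedelta(minutes=30)):
    """Alert once per account when `threshold` failures fall inside a sliding `window`.
    PCI DSS 3.2 req. 8.1.6 locks an ID after at most six failed attempts; the
    30-minute window is this example's assumption, not a value from the standard."""
    recent = defaultdict(deque)
    alerts = []
    fired = set()
    for r in records:
        if r["event"] != "LOGIN_FAIL":
            continue
        q = recent[r["user"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and r["user"] not in fired:
            fired.add(r["user"])
            alerts.append({"user": r["user"], "count": len(q),
                           "first": q[0], "last": r["ts"], "src": r["src"]})
    return alerts


def success_after_burst(records, alerts):
    """Accounts that logged in successfully after a lockout-worthy burst: investigate these first."""
    last_burst = {a["user"]: a["last"] for a in alerts}
    return sorted({r["user"] for r in records
                   if r["event"] == "LOGIN_OK"
                   and r["ts"] > last_burst.get(r["user"], r["ts"])})


def audit_gaps(records, max_gap=timedelta(hours=1)):
    """Silences in the trail longer than max_gap (assumed threshold): a stopped
    forwarder, clock skew, or someone pausing logging while they work."""
    return [(a["ts"], b["ts"]) for a, b in zip(records, records[1:])
            if b["ts"] - a["ts"] > max_gap]


def privileged_changes(records):
    """Account changes belong in the audit trail (req. 10.2) and always merit a human look."""
    return [r for r in records if r["event"] == "ACCT_CHANGE"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    alerts = failed_login_alerts(recs)
    for a in alerts:
        print(f"ALERT lockout threshold hit: {a['user']} x{a['count']} from {a['src']}")
    print("successful login after burst:", success_after_burst(recs, alerts))
    print("audit gaps:", audit_gaps(recs))
    print("account changes:", [r["user"] for r in privileged_changes(recs)])
```

The sliding window is kept per account rather than per source address because a distributed password-spraying run will hit the same account from many addresses; the gap detector only works if the log source is known to emit something at least every `max_gap`, so in practice it is paired with a heartbeat event.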
It is also vital to run internal and external penetration tests, fixing and retesting any exploitable vulnerabilities found, and to deploy change-detection tools that alert staff to unauthorized modification of files and components on critical systems, comparing critical files at least weekly.
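What a weekly change-detection comparison looks like in practice, as an added example that is not the original article's or any vendor's tool: it hashes every file under a directory into a baseline, classifies added, removed and modified files on the next run, and signs the stored baseline with an HMAC so that an intruder who alters files on the host cannot simply rewrite the baseline to match. The directory contents, file names, HMAC key and the `run_demo` scenario are constructed for this example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its hash, mode and size."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o7777),   # a permission change is also a change
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Classify differences; 'modified' covers content, size and permission changes."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def _canonical(baseline):
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(baseline, key):
    """Attach an HMAC so a baseline kept near the monitored files cannot be silently rewritten."""
    tag = hmac.new(key, _canonical(baseline), hashlib.sha256).hexdigest()
    return {"baseline": baseline, "hmac": tag}


def verify_baseline(signed, key):
    """Return the baseline only if its HMAC checks out; never compare against a tampered one."""
    expected = hmac.new(key, _canonical(signed["baseline"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("baseline integrity check failed")
    return signed["baseline"]


def run_demo(key=b"example-key-keep-off-host"):
    """Stand-alone scenario on a scratch directory: baseline, tamper, compare, detect."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        Path(root, "app.py").write_text("print('pos')\n")
        Path(root, "conf", "gateway.cfg").write_text("tls_min=1.2\n")
        signed = sign_baseline(build_baseline(root), key)   # store this off-host or read-only

        Path(root, "app.py").write_text("print('pos'); import skimmer\n")  # content changed
        os.remove(os.path.join(root, "conf", "gateway.cfg"))               # file removed
        Path(root, "conf", "dropper.so").write_bytes(b"\x7fELF")           # file added

        diff = compare(verify_baseline(signed, key), build_baseline(root))

    signed["baseline"]["app.py"]["sha256"] = "0" * 64   # attacker rewrites the stored baseline
    try:
        verify_baseline(signed, key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"diff": diff, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The HMAC key has to live somewhere the monitored host cannot write to (the monitoring server, or an HSM-backed secret), otherwise the signature buys nothing; the same applies to the baseline itself, which is why the comment in `run_demo` says to store it off-host. Weekly is the floor the standard sets; on payment-facing systems the comparison is usually scheduled far more often.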
Strict compliance with every protection element laid down by the Payment Card Industry Data Security Standard, PCI DSS 3.2, including security updates and patches, intrusion detection, access management, secure software development, employee awareness and the development of a complete protection strategy, is an obligation whose breach can mean large losses and significant penalties, which can be avoided by engaging a PCI DSS Qualified Security Assessor (PCI QSA), concludes Martínez.